[SENTRY-1209] Sentry does not block Hive's cross-schema table renames - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.5.1
Fix Version/s: 1.8.0
Component/s: Core, Hive Binding, Hive Plugin, Sentry
Labels:
- security
Environment:

CDH 5.5.2

Description

User Pete
has read-write access to schema A
has read-only access to schema B

User Pete nevertheless was able to rename/move Hive table
from schema A to schema B (where he has read-only access):

use A;
alter table table_a rename to B.table_a;

Hive allows to use rename table syntax to move tables across schemas, not just rename.

Sentry does not check security boundaries in this case.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SENTRY-1209.001.patch
30/May/16 08:26
7 kB
Colin
SENTRY-1209.002.patch
31/May/16 01:43
9 kB
Colin
SENTRY-1209.003.patch
06/Jun/16 06:49
9 kB
Colin
SENTRY-1209.004.patch
06/Jun/16 13:43
11 kB
Colin
SENTRY-1209.005.patch
07/Jun/16 02:19
11 kB
Colin
SENTRY-1209.006.patch
29/Jun/16 03:03
14 kB
Colin

Issue Links

is related to

SENTRY-2066 DB name is not set for AlterTable

Resolved

links to

Activity

People

Assignee:: Colin

Reporter:: Ruslan Dautkhanov

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 19/Apr/16 22:55

Updated:: 22/May/18 16:22

Resolved:: 15/Jul/16 01:55